Use A Passphrase

Why should I use a random passphrase?

Because humans are terrible at creating secure passwords. The famous xkcd comic got it right: humans have been trained to use hard-to-remember passwords that are easy for computers to guess.


Try as we might, humans usually end up using one of a few predictable patterns when creating passwords. We base them on things we can remember, such as names, locations, dates or just common English words. Then, we add some spice with a capital letter, some numbers, or a symbol.

Does your password fall into this group?

Bad Password Pattern | Is It Memorable? | Time To Crack
--- | --- | ---
A common word (example: december) | Yes. | 18 milliseconds (Seriously. Try it in the box at the top.)
An easily-typed spatial word (example: qwerty or aaaaaaaa) | Very much so. | 10 milliseconds
The family dog (example: rusty) | Yep. | 27 milliseconds
An important number, such as a date or zip code (example: 03261981) | It's memorable to you, certainly. | 2.213 seconds
A word with trivial letter→number substitutions (example: S4nfr4n) | Sort of memorable, but you may forget which letters are substituted for numbers. | 639 milliseconds

If your password resembles any of these examples, it is instantly crackable. Even a mix of these patterns, such as [common word]+[number] will be straightforward to crack.

After exhausting those wordlists, password-cracking tools will try all of the words again with common substitutions: capitalizing the first letter (december → December), making common letter-for-number swaps (december → d3cemb3r), and other common password variations.

If your password is based on any kind of pattern, using some combination of the above steps, it will eventually be cracked. Depending on how well a website protects your stored password, modern computers can make somewhere between 10,000 and 350 billion guesses per second.

Your best defense is using a truly random password generator (like this site).

I get it, simple passwords are cracked easily. But why should I use a random passphrase instead of, say, ipz2!az8k%0h?

There are dozens of random password generators out there that will happily put together a bunch of random characters for you to use as a password. These random passwords are secure, but they're a huge pain to actually remember.

Random passphrases provide the best combination of memorability and security.

By way of example, here are two passwords with similar crackability:

Password | Time to crack
--- | ---
p%9y#k&yFm? | Approximately 90,182,663 centuries
logic finite eager ratio | Approximately 189,658,722 centuries

Which would you rather remember?
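As an added example (not this site's code, which uses zxcvbn.js), the Python below reproduces the arithmetic behind the comparison above: it estimates brute-force crack time for a uniform keyspace at the page's 10,000 and 350 billion guesses per second, and generates a passphrase with the OS CSPRNG. The wordlist is a constructed stand-in for a Diceware list; the 11-character figure matches the table, while zxcvbn credits dictionary words by frequency rank rather than list size, so its passphrase figure is larger than this uniform 7776-word estimate.

```python
import math
import secrets

# Constructed sample wordlist for demonstration; a real Diceware list has
# 7776 (6**5) words, and only the list length matters for the entropy figure.
SAMPLE_WORDS = ["logic", "finite", "eager", "ratio", "lantern", "copper", "violet", "marble"]
DICEWARE_WORDS = 7776            # entries in a standard Diceware wordlist
PRINTABLE_ASCII = 95             # characters a random-character generator draws from
SLOW_HASH_GPS = 10_000           # guesses/s against bcrypt/scrypt/PBKDF2 (page's figure)
FAST_HASH_GPS = 350_000_000_000  # guesses/s against a fast unsalted hash (page's upper figure)
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def generate_passphrase(wordlist, n_words=4):
    """Pick n_words uniformly with the OS CSPRNG (never random.choice for secrets)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent uniform picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def crack_centuries(alphabet_size, length, guesses_per_second=SLOW_HASH_GPS):
    """Expected centuries to brute-force: on average half the keyspace is searched."""
    expected_guesses = alphabet_size ** length / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_CENTURY


def words_needed(target_bits, word_count=DICEWARE_WORDS):
    """Fewest Diceware words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(word_count))


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    candidates = [("11 random printable characters", PRINTABLE_ASCII, 11),
                  ("4 Diceware words", DICEWARE_WORDS, 4),
                  ("6 Diceware words", DICEWARE_WORDS, 6)]
    for label, size, length in candidates:
        bits = entropy_bits(size, length)
        slow = crack_centuries(size, length, SLOW_HASH_GPS)
        fast = crack_centuries(size, length, FAST_HASH_GPS)
        print(f"{label}: {bits:.1f} bits, {slow:,.0f} centuries at 10k/s, {fast:.3g} at 350G/s")
    print("words to match 11 random characters:", words_needed(entropy_bits(PRINTABLE_ASCII, 11)))
```

Against a fast hash the same 11-character password falls in about 2.6 centuries, which is why the hashing scheme matters as much as the password.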

Fine, you've convinced me. I'll use a passphrase. What else can I do to increase my security?

The recipe for perfect password management is straightforward.

1. Use a password manager.

Firefox, Chrome, Safari and Internet Explorer all have built-in password managers. But if you plan to use your passwords across devices, you probably should use one of these:

Should I really be getting my password from a website?

Honestly? Probably not. But in this page's defense, all passwords are generated in your browser and are not saved or sent anywhere.

For the truly paranoid, I recommend something called diceware, which is a completely offline, non-computer-based method of creating passphrases. It involves six dice and a printed wordlist. The author also recommends you close your blinds while doing it.

Thanks for reading, and stay secure!

Credits:

Lock icon created by Milky. The password strength algorithm uses zxcvbn.js, which was created by Dropboxer Dan Wheeler.

The algorithm assumes 10,000 guesses per second, which is consistent with passwords hashed using bcrypt, scrypt or PBKDF2. If a database contains passwords hashed with MD5 or SHA-256/512, then no amount of password security is really going to help.

I assume no responsibility if you use a password from this site and subsequently are hacked.